Zombie cookie wars: evil tracking API meant to “raise awareness”

One developer has created an open source JavaScript API that stores online …

The war against persistent zombie cookies—cookies that never seem to lose your data, even when you delete them—rages on, as users learn more about the technology. While awareness is rising thanks to widespread coverage of Flash cookies and, more recently, HTML5's storage capabilities, we have a long way to go before Internet users can avoid persistent tracking. Like all zombie wars, this one will take some time to win; and if you thought things were bad now, they're about to get worse.

Case in point: evercookie, an open source JavaScript API by developer Samy Kamkar. When implemented by a website, evercookie stores a user ID and cookie data in not two, not three, but eight different places—with more on the way. Among them are your standard HTTP cookies, Flash cookies, RGB values of force-cached PNGs, your Web history, and a smattering of HTML5 storage features. In addition, Silverlight Storage and Java are apparently on the way.

So, when you delete the cookie in one, three, or five places, evercookie can dip into one of its many other repositories to poll your user ID and restore the data tracking cookies. It works cross-browser, too—if the Local Shared Object cookie is intact, evercookie can spread to whatever other browsers you choose to use on the same machine. Since most users are barely aware of these storage methods, it's unlikely that users will ever delete all of them.
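A defender-side check for the respawning behaviour described above, as an added example that is not from the original article or from evercookie: it compares storage snapshots taken before deletion, right after deletion, and after revisiting the site, and reports identifiers that came back. The snapshot shape, store names, keys and values are constructed assumptions.

```javascript
// Snapshots are plain objects: { storeName: { key: value, ... }, ... }.
// Store names, keys and values below are constructed for illustration.
const MIN_ID_LENGTH = 8; // skip short values ("en", "1") that match by chance

// Index a snapshot by value: value -> list of "store:key" locations.
function indexByValue(snapshot) {
  const index = new Map();
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const [key, value] of Object.entries(entries)) {
      if (String(value).length < MIN_ID_LENGTH) continue;
      if (!index.has(value)) index.set(value, []);
      index.get(value).push(`${store}:${key}`);
    }
  }
  return index;
}

// Report entries that the user deleted and that reappeared with the same
// value after a revisit, plus the stores that still held that value after
// the deletion and could therefore have been used to restore it.
function findRespawned(before, afterClear, afterRevisit) {
  const survivors = indexByValue(afterClear);
  const findings = [];
  for (const [store, entries] of Object.entries(before)) {
    for (const [key, value] of Object.entries(entries)) {
      const cleared = !(afterClear[store] && key in afterClear[store]);
      const back = Boolean(afterRevisit[store]) && afterRevisit[store][key] === value;
      if (cleared && back && survivors.has(value)) {
        findings.push({ respawned: `${store}:${key}`, value, sources: survivors.get(value) });
      }
    }
  }
  return findings;
}

// Constructed scenario: the user clears cookies and localStorage but not the
// Flash Local Shared Object, then revisits the site.
const ID = "a3f9c2e17b604d58"; // constructed identifier
const before = { httpCookie: { uid: ID, lang: "en" }, localStorage: { uid: ID }, flashLSO: { uid: ID } };
const afterClear = { httpCookie: {}, localStorage: {}, flashLSO: { uid: ID } };
const afterRevisit = { httpCookie: { uid: ID, lang: "en" }, localStorage: { uid: ID }, flashLSO: { uid: ID } };

console.log(findRespawned(before, afterClear, afterRevisit));
```

The `lang` cookie also reappears in this scenario but is not reported, because no surviving store held its value; only identifiers with a surviving copy are attributed to a restore.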

"Simply think of it as cookies that just won't go away," reads the evercookie FAQ.

Sound evil? It is. But Kamkar—whose motto is "think bad, do good"—doesn't seem all that evil. In fact, Kamkar told Ars that he wrote evercookie to raise user awareness about the ways in which companies can track them.

"I hope evercookie simply demonstrates to people what types of methods are being employed to track them and to decide whether or not they want to prevent those methods," he said. "evercookie took less than a day to create for me as a security hobbyist, so I can only imagine the technology that funded developers are producing."

Kamkar says he doesn't actually use evercookie to track people—it exists largely as a proof of concept, and he's not using technologies that are particularly bleeding edge in the developer world.

"None of these are new techniques," he told Ars, "but an API like this is awesome at raising awareness."

Of course, the mere fact that evercookie exists (and exists as an open source project that anyone can use) means that there will be some evil Web developers who make use of it, but that's almost the point. We're supposed to be scared.

Kamkar sees his project as a kind of litmus test to see whether people really are up to protecting themselves from being tracked by persistent cookies that anyone could implement, but he also understands that the "average" Internet user is hardly aware of traditional cookies, much less Flash cookies and beyond. Deleting the data from all eight (or more) storage mechanisms can be a pretty daunting task even for the relatively experienced surfer.

"I hope to produce software that allows deleting data from any and all of these storage mechanisms for the average user to make use of," Kamkar said. "I also hope evercookie stems others to develop similar software."

Kamkar's API comes just days after a lawsuit was filed against a company for making use of the HTML5 Web SQL database storage capabilities that come with Safari, Chrome, and Opera. First exposed by Ars Technica, this particular company (Ringleader Digital) made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases, telling Ars that the only way to opt out of the tracking was to use the company's opt-out link (which gives the user no confirmation that they are, in fact, opted out.)

Then there are a number of previous lawsuits over zombie Flash cookies, which have the same goal when it comes to user tracking. They don't want you to delete their info, so they work around it by storing the data in multiple places and restoring it once you delete.

While Internet users wait for software to protect against such extensive tracking, Kamkar did point out that the safe browsing mode in many browsers will probably help for now. "I found that using 'Private Browsing' in Safari stops all evercookie methods," he said.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

I think that web browsers should partition all storage in a per-site basis. No system access outside that store neither to browsers nor to plug-ins. That way it would be easy to remove traces or deny access to web-sites.

I marketers they should all be taken out back and ..... (all right not killed)... removed from civilized company (jailed, horse whipped, run out of town on a rail, tarred and feathered). Especially those who obviously ignore users' expressed wishes by restoring things users delete. If a user deletes something it should damned well stay deleted.

I think that web browsers should partition all storage in a per-site basis. No system access outside that store neither to browsers nor to plug-ins. That way it would be easy to remove traces or deny access to web-sites.

+++ on this. Stored info in the browser needs to be more controlled, both what is accessed and what is stored.

Yep we really need ONE central place where everything from a domain is stored and an easy way to delete everything. If we have 10 different places where information can be stored that gets extremely complicated.

I had to scroll down past the picture before I could begin reading the article. It's just awesomely gross.

I think that the lack of awareness that Cheng and Kamkar mention is really the main reason this issue is not bigger than it already is. I am a WSJ subscriber and a month ago they had a 5 or so article series on how web tracking is an underground business that has really gotten out of hand. That was the first time I had read about the issue apart from my regular reading of Ars. If this same situation was happening with cell phones or even regular land lines, the issue would have already been escalated and taken care of.

I really hope browsers or the W3C develop a single convention for storage of cookies/anything else, so there is only one place and way a malicious developer could store data, thus it could be deleted. I don't know if this is feasible, but I don't see why not.

Even the good old HTTP cookies are there for a reason: HTTP is a stateless protocol and many websites just need a way to keep some state between visits. This has been (and is being) abused but basically you can't do without something like that. What we need is more control for the user to make this into a useful feature.

Anyway, awareness for such things is going down the drain generally. Things like DISQUS are being used for comments on blogs more and more and this damned thing requires you to allow cookies to be read from every website. And nobody cares. Use any sane config with your browser on such a site and you're unable to comment at all there.

By the way, the image looks very much like some Japanese foodstuff. I've eaten octopus-filled sweets and they weren't bad at all. Looks yummy!

It would have been nice if he then wrote the API to clear those same cookies too... wouldn't have been nice. But I guess you can't have everything these days. It's either evil or nothing.

Such an API would delete the cookies he has created with his program, but not delete the cookies that other websites have created, as browser and plugin security stops websites from deleting content from another website. Something like that would need to be created by browsers.

Flash Player deletes any Local Shared Objects when using the various kinds of private modes. I've heard talk from Adobe also about deleting Local Shared Objects when a user deletes cookies through the browser. However, that feature hasn't been added yet but hopefully Adobe and browsers work that out. However, that also means working with Oracle over Java and Microsoft over Silverlight. Plus other plugins people might have, meaning this really needs an open API from the browsers, which hopefully plugin companies will use.

Also browsers need to add an easy way to delete HTML5 databases and local storage as well (warning users that any HTML5 apps they are using might stop working after they do this).

Getting all these different places to store data in the same place is never going to happen, but allowing users access to delete this content in one area is possible.

Could we maybe get a cookie data generator to stuff so much data back to these things that they give up after their servers collapse under the weight of our data generators? It would serve them right to hit a few thousand of these things a day just to make sure their servers crash outright under the weight of so much useless data. I don't really know how much data they keep but if we could expand it exponentially it would be sweet!

Sounds like it's time for browsing from a chroot environment. Then have the entire thing deleted when you close the browser. That or the web needs to go back to being stateless and we figure out a different way to pass on the info we want, when we want, and to who we want.

Chrome on OS X leaves behind sessionData and pngData after clearing cache. Cleared out all the *samy* items I could find, but those remained. I'm assuming sessionData is being stored in RAM, but I thought I'd be able to find pngData fairly easily on disk. Guess it's time to do a bit more research.

I'm surprised that there hasn't been a law passed that outlaws cookies that track our moves. What's the hold up?

Many countries do have laws that limit what kind of personal data organizations can share/track without your knowledge. The hard part is enforcing that on websites that are not hosted in your country, it'll just never happen. There will always be some malicious sites that will keep doing this.

Even after you remove all of these, the first time you log into a participating service you identify yourself and get retagged.

I seem to recall an article here on browser fingerprinting, where the combination of user agent string, plugins installed, screen resolution, and many other things that are revealed by your browser can positively identify a user from one session to the next. Seems to be only a matter of time before a client fingerprint collection script, a central database, and some fuzzy logic to deal with traveling users and configuration and plugin changes can replace cookies entirely. Then we'll have no way to opt out. There are many people besides marketers who want it that way, including the RIAA, MPAA, various security groups, and many government entities.

Based on all the methods of imprinting and tracking a browser, I'm not sure that this is a war that can ever be won. Right now, I get by with a combination of FlashBlock and BetterPrivacy, in addition to what I think will become ever more popular: Beef Taco. It automatically opts your browser out of over 100 different ad-tracking networks.